Subpoena for Signal Messaging Data Renders Little

Open Whisper Systems, the group behind Signal, was served with a subpoena earlier this year but was unable to produce most of the data it was asked for.

Open Whisper Systems, the non-profit group behind the encrypted messaging app Signal, was served with a subpoena for user data earlier this year, but since the company keeps so little information on its users, it was unable to produce most of what it was asked for.

The American Civil Liberties Union, which represented the company in court, shared transcripts from the subpoena and other court documents on Tuesday, including a gag order it was able to get lifted.

Neither the ACLU nor OWS could confirm exactly when it received the subpoena, only that it came in the first half of this year and from the U.S. District Court for the Eastern District of Virginia. The order, part of a federal grand jury proceeding, asked for records on two individuals – only one of whom had a Signal account.

According to the subpoena, the government asked for reams of information, such as the user’s name, address, telephone number, any information the company might have about their toll records, upstream and downstream providers, and any accounts Signal may have acquired through cookie data.

OWS complied with the order but was only able to provide limited information on the other individual, including the time the account was created and the date they last connected to Signal’s servers.

The only information Signal requires to set up an account is a user’s phone number; the service doesn’t record user conversations, nor does it store information about users’ contacts or any metadata. The group’s hands were tied as to what it could provide in the first place because it said it couldn’t produce information it didn’t have.

The most interesting part of the whole exchange is the ACLU’s fight against the government’s gag order, imposed by Magistrate Judge Theresa C. Buchanan.

In a letter to the attorney, ACLU staff attorney Brett Max Kaufman calls the order unconstitutional, and not “narrowly tailored to a compelling government interest.”

“The proper role, scope, and limits of government surveillance are quintessential matters of public concern under the First Amendment, and electronic service providers—who have dual roles as custodians of Americans’ private data and as necessary actors in the execution of government surveillance requests—have a critical role to play, and perspective to share publicly, about government surveillance practices,” Kaufman wrote.

The government responded to OWS and the ACLU, and allowed them to publish a copy of the redacted order and related documents, in a superseding order filed last Thursday.

In an ACLU blog post Tuesday morning, Kaufman called the gag “overbroad” and the latest “secrecy overreach” by the government. Kaufman goes on to highlight the government’s apparent inclination to issue blanket gag orders by default, “without considering precisely what information can be disclosed without harm to its interests.”

“The fact that the government didn’t put up too much of a fight suggests that secrecy—and not transparency—has become a governmental default when it comes to demands for our electronic information, and critically, not everyone has the resources or the ability to work with the ACLU to challenge it,” Kaufman wrote.

OWS said that going forward it will publish transcripts of communication it has around government requests for data in a new section of its site.

The fact that Open Whisper Systems was able to fight the order, win, and publish transcripts around the case is a rarity; companies infrequently disclose when they receive such letters, let alone their contents. The majority of National Security Letters sent from the FBI usually contain a gag order forbidding a company to discuss the contents of the letter unless it’s with an attorney.

Over the last few years, many tech companies have asked the government for the ability to be more transparent when they receive NSLs asking for customer data. In this post-Snowden world, many firms publish semi-annual transparency reports regarding requests, such as subpoenas, they receive from law enforcement and the U.S. government. Yahoo became one of the first companies to disclose the redacted contents of an NSL when it published three letters it received earlier this summer.

The news of Open Whisper Systems’ grand jury subpoena comes just a few days after five members of Congress argued in a briefing (.PDF) that the way the FBI handles gag orders is unconstitutional. The main argument of the briefing, filed by Marcia Hofmann – now an attorney at Zeitgeist Law PC, formerly of the Electronic Frontier Foundation – is that procedures currently in place for reviewing and terminating NSL nondisclosure orders violate the USA FREEDOM Act. The document was signed off by U.S. Representatives Zoe Lofgren (D-Calif.), James Sensenbrenner (R-Wisc.), John Conyers (D-Mich.), Anna Eshoo (D-Calif.), and Ted Poe (R-Texas).
